DealLawyers.com Blog

August 30, 2024

Due Diligence: Cybersecurity Issues in M&A

A new WTW article provides an in-depth analysis of the cybersecurity issues that should be addressed during the due diligence process for an acquisition. Topics covered include potential liability risks, costs required to upgrade the target’s systems, the target’s cyber insurance coverages, and the differences in cyber risk profiles between strategics and private equity buyers. This excerpt suggests some best practices for addressing cybersecurity issues in an acquisition:

1. Assess past cybersecurity incidents

– Evaluate if the target company has completed necessary system updates and due diligence.
– Consider lingering third-party claims from past incidents in the risk assessment.

2. Evaluate data storage practices

– Assess if data storage systems need updates to meet current cybersecurity standards.
– Ensure third-party data stored in the target’s systems is adequately protected.

3. Review vendor agreements

– Verify that necessary safeguards are in place, including audit requirements, continuous monitoring, and incident response plans for vendors.
– Ensure privacy disclaimers are clear to third-party clients.
– Clarify data ownership and the purpose for which it is collected.

4. Update incident response plan

– Review and update the target’s incident response plan to align with the acquiring company’s standards and practices.

The article also includes a seven-point due diligence checklist for buyers to use in assessing the cyber risks associated with the target’s business. Enjoy the Labor Day weekend. Our blogs will be back on Tuesday.

John Jenkins